Date:      Fri, 29 Mar 2024 10:02:14 -0700
From:      Gordon Tetlow <gordon@tetlows.org>
To:        freebsd-security@freebsd.org
Subject:   Disclosed backdoor in xz releases - FreeBSD not affected
Message-ID:  <1C17C92B-AFC2-4B7A-9594-25864156A546@tetlows.org>

FreeBSD is not affected by the recently announced backdoor included in the 5.6.0 and 5.6.1 xz releases.

All supported FreeBSD releases include versions of xz that predate the affected releases.

The main, stable/14, and stable/13 branches do include the affected version (5.6.0), but the backdoor components were excluded from the vendor import. Additionally, FreeBSD does not use the upstream's build tooling, which was a required part of the attack. Lastly, the attack specifically targeted x86_64 Linux systems using glibc.

The FreeBSD ports collection does not include xz/liblzma.

Reference:
https://www.openwall.com/lists/oss-security/2024/03/29/4

Best regards,
Gordon Tetlow
Hat: security-officer
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEuyjUCzYO7pNq7RVv5fe8y6O93fgFAmYG9BYACgkQ5fe8y6O9
3fiA6Qf/Y0LUoDzuUOc38MX4MkdulNP3BT1BXqbid7QgbetS/HswzsYumESiOtDh
cO8kmSCw9tPuJZ2U0KjycxMRt9JbmxOShpZPFu/UW7HR1BbjkcZKijvVbprL/3QK
FsUHO/4knFQnX2y/3XGtD87zZ4kvEBEn1claWcCoPsoSTgbBMjyUVKTqsW0hY5bn
05sx6K6TjMJwMyBr1NEKCyZLS2UWLobtdGFettW1vXObYI4Nr9ONHBg0VU4wMyO9
SEOjVcB2evCdmdxOuiOtPlwxiTBAOXPSU9M3a+w8qsdxW3mHxsFp3yb3qD7G2ZWA
CCu/vxvUZvNAU0F+Ga2WKTBMTzV80A==
=r6An
-----END PGP SIGNATURE-----
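The advisory above identifies exactly two backdoored upstream releases, 5.6.0 and 5.6.1, and states that every supported FreeBSD release ships an older xz. A defender who wants to confirm that on a given host can do so by parsing the `xz --version` banner and comparing it against that list. The POSIX sh below is an added example, not part of Gordon Tetlow's message or of any FreeBSD tooling; the function names `xz_version_status` and `check_local_xz` are hypothetical, and it assumes the real `xz --version` first line has the form `xz (XZ Utils) X.Y.Z`.

```shell
#!/bin/sh
# Added example (not from the advisory): classify an xz/liblzma version
# banner against the two backdoored upstream releases named in the advisory.

# Print "affected", "not-affected" or "unknown" for a version banner such as
# "xz (XZ Utils) 5.6.1", "liblzma 5.4.6" or a bare "5.6.0".
xz_version_status() {
    # Pull the first dotted X.Y.Z token out of the banner; empty if none.
    ver=$(printf '%s\n' "$1" \
        | sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    case "$ver" in
        "")          echo "unknown" ;;       # no version token found
        5.6.0|5.6.1) echo "affected" ;;      # the releases with the backdoor
        *)           echo "not-affected" ;;  # anything else, per the advisory
    esac
}

# Inspect the xz binary on this host, if there is one.
check_local_xz() {
    if command -v xz >/dev/null 2>&1; then
        xz_version_status "$(xz --version 2>/dev/null | head -n 1)"
    else
        echo "unknown"
    fi
}

# Run the check when executed directly (sourcing the file does not run it).
case "$0" in
    *sh) : ;;
    *) printf 'local xz: %s\n' "$(check_local_xz)" ;;
esac
```

The status is printed rather than returned as an exit code so that `unknown` (no xz installed, or an unparseable banner) stays distinguishable from `not-affected`; a script that only checks for `affected` would silently pass on a host where the check could not run at all.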